IETF Logo Mail Archive

[Iot-onboarding] BRSKI : proximity registrar cert and MITM question

"M. Ranganathan" <mranga@gmail.com> Tue, 18 February 2020 22:24 UTC

Return-Path: <mranga@gmail.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57E4120807 for <iot-onboarding@ietfa.amsl.com>; Tue, 18 Feb 2020 14:24:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOJupCkQd7lG for <iot-onboarding@ietfa.amsl.com>; Tue, 18 Feb 2020 14:24:28 -0800 (PST)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50FA3120823 for <iot-onboarding@ietf.org>; Tue, 18 Feb 2020 14:24:28 -0800 (PST)
Received: by mail-io1-xd33.google.com with SMTP id z16so24129038iod.11 for <iot-onboarding@ietf.org>; Tue, 18 Feb 2020 14:24:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=hu6sDDuyRnb3mS2h9PrpD6F7q9OMxXj+CHbixhcPXEI=; b=FZD8moPwE5FQTsZh0+2HMABwVPNnYenTra05JpjtY8Nj6flhom9eec+CXCmBtEl7SN n3p8h+rf9ZZP3nbGC2YG1k53yQl4j5thWpDbK51ussQjbT+X32aDDxBn9cYnPqP7XnrJ f+8y14ZYHQXPL7F2IKXyNAdZa+tQ3buChTmu49hdu8CYvivJuEg0y79kDhQv+0Ax34dy BpZT8/pqWSTmuipR/UR3d1PYdyysOnTIgHKTaovPwO0gAGG5H+sdGpO29sUF9JyMrt0L eSDwqg7G42+6sUmQJgciYyKo48zfJ89nvMArqWqt51NBvvDNZtjuYpTauadZp0oXIecG pToA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=hu6sDDuyRnb3mS2h9PrpD6F7q9OMxXj+CHbixhcPXEI=; b=aGuAPg2LML4Rz2cBoOeI2zgh37+uHwTefATROdnFBjEF/mfPPljgvhrz7uwr56d1cj Xv2e8Md3U83m+Ujgr5vKe36FKiFE2UOezFXFAaSAWmde+dWILlIrDY+xD5JwDSURRpgp u6gQJwyehEZJsqU+ylOJohJbZ5fCMdOTbfewpnWCzSREeSs/9+KTQuI68uVwW28B3gRM w1gwmm6fKRM3q+tjm2KSrTvZaXcGfr9iWnXH4gQelpJ5x8ENteCrYrquFf2L7kLYqvNP aezIS4sx5BBXaCoJzRWZG5gT1PZ5EtVASoBR/NzMZ+0wrTiFRLc73pDrr2Hqqu0vg+1z 72jg==
X-Gm-Message-State: APjAAAXWbprnIlZ8eyHz69G4JVIVEguq4zmRAmucc/SDJ1ku77VyuahK RBcEJQw2OBbv9FUxK1bJJckZ7tD0AGvCx4RyM+0Ujxwg
X-Google-Smtp-Source: APXvYqwa/5ogL5S/VuI8giF026IaUQkaiTZnPzGrzxFLgo2fpegkBcMR8vmThCAvZSg2qyN9ckf/Pn6nqZ2+uHNZaDc=
X-Received: by 2002:a5e:924c:: with SMTP id z12mr17773250iop.296.1582064667197; Tue, 18 Feb 2020 14:24:27 -0800 (PST)
MIME-Version: 1.0
From: "M. Ranganathan" <mranga@gmail.com>
Date: Tue, 18 Feb 2020 17:23:51 -0500
Message-ID: <CAHiu4JPRyNT=DmykHw6KaU+Q6X_o70Zc_+i0NosM-zU_iiRSZg@mail.gmail.com>
To: iot-onboarding@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/3dp5hZluzS7YKMePBbBIkWHwsZU>
Subject: [Iot-onboarding] BRSKI : proximity registrar cert and MITM question
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 22:24:30 -0000

Hello,

The BRSKI spec says that the pledge needs to send the proximity
registrar certificate when it requests a voucher. This establishes to
the registrar that it is the same pledge with whom it established a
TLS association. Can the server certificate be re-used if a different
pledge connects?

I don't understand the MITM scenario. An example would be helpful.

Thanks

Ranga

-- 
M. Ranganathan

v2.23.0 | Report a Bug | By Email